[Samba] Solaris 11 can't join Active Directory Domain

İhsan Doğan ihsan at dogan.ch
Thu Jan 31 01:03:25 MST 2013 

Hi,

On 01/31/2013 03:43 AM, Ong Yu-Phing wrote:

> 1) /etc/krb/krb5.conf
> make sure you have your [realms], [domain_realm] configs correct, e.g.
> if you have a domain called DOMAIN.LOCAL, and a DC server hostname
> dc.domain.local (make sure that hostname resolves via DNS or /etc/hosts
> file):

I've verified the krb5.conf and it looks exaclty like yours.

> 2) time
> make sure you ntpdate with your DC to ensure your time is sync

Verified. All in sync.

> 3) LMauth level
> 
> sharectl set -p lmauth_level=4 smb
> 
> depending on your AD forest version, you may need to do either level=2 or 4

Which would be the appropriate version for an AD forest running on Samba
4.0.1?

I've set the lmauth version now to 4:
# sharectl set -p server_lmauth_level=4 smb
# sharectl set -p client_lmauth_level=4 smb

Created the krb5.conf and registered the machine in the AD forest:
# kclient

Starting client setup

---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
        ms_ad: Microsoft Active Directory
        mit: MIT KDC server
        heimdal: Heimdal KDC server
        shishi: Shishi KDC server
Enter required KDC type: ms_ad

Setting up /etc/krb5/krb5.conf.

Attempting to join 'HOST' to the 'DOMAIN.LOCAL' domain.

Password for Administrator at DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit:  no ktkt_warnd warning possible

Forest name found: domain.local

Site name not found.  Local DCs/GCs will not be discovered.

Creating the machine account in AD via LDAP.

Warning: won't create DNS records for client.
ddns_enable property not set to 'true' through sharectl(1M).
---------------------------------------------------
Setup COMPLETE.

So far it looks good. After that, I've tried again to run smbadm:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

Still no luck, but looks like I've made a step forward.




Ihsan

-- 
ihsan at dogan.ch		http://blog.dogan.ch/

More information about the samba mailing list